Class: BuildEnvironmentAttestation
An attestation describing the integrity of a build environment at the time a specific build was dispatched and executed. Used to verify that a build ran in the expected, untampered environment.
URI: slsa:BuildEnvironmentAttestation
```mermaid
classDiagram
    class BuildEnvironmentAttestation
    click BuildEnvironmentAttestation href "../BuildEnvironmentAttestation/"
    Statement <|-- BuildEnvironmentAttestation
    click Statement href "../Statement/"
    BuildEnvironmentAttestation : _type
    BuildEnvironmentAttestation : attestationStorageUri
    BuildEnvironmentAttestation : buildEnvLevel
    BuildEnvironmentAttestation --> "0..1" BuildEnvLevelEnum : buildEnvLevel
    click BuildEnvLevelEnum href "../BuildEnvLevelEnum/"
    BuildEnvironmentAttestation : buildId
    BuildEnvironmentAttestation : buildImage
    BuildEnvironmentAttestation --> "0..1" BuildImage : buildImage
    click BuildImage href "../BuildImage/"
    BuildEnvironmentAttestation : measurements
    BuildEnvironmentAttestation : predicate
    BuildEnvironmentAttestation : predicateType
    BuildEnvironmentAttestation : signingTool
    BuildEnvironmentAttestation : sigstoreLogEntry
    BuildEnvironmentAttestation : subject
    BuildEnvironmentAttestation --> "1..*" ResourceDescriptor : subject
    click ResourceDescriptor href "../ResourceDescriptor/"
```
Inheritance
- Statement
  - BuildEnvironmentAttestation
Slots
| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| buildId | 1 String | An immutable identifier uniquely assigned to a build execution (e.g., a UUID) | direct |
| buildImage | 0..1 BuildImage | The build image from which the build environment was instantiated | direct |
| measurements | * String | Cryptographic measurements (hashes) of build environment components captured ... | direct |
| buildEnvLevel | 0..1 BuildEnvLevelEnum | The SLSA Build Environment Level supported or represented, reflecting the str... | direct |
| _type | 1 String | Always "https://in-toto.io/Statement/v1" | Statement |
| subject | 1..* ResourceDescriptor | The set of software artifacts to which a predicate applies | Statement |
| predicateType | 1 String | URI identifying the schema and semantics of the predicate field | Statement |
| predicate | 0..1 String | The attestation payload — an arbitrary JSON object whose schema is fully dete... | Statement |
| attestationStorageUri | 0..1 String | URI indicating where this signed attestation is publicly stored or retrievabl... | Statement |
| signingTool | 0..1 String | URI or name of the tool used to cryptographically sign the artifact or attest... | Statement |
| sigstoreLogEntry | 0..1 String | URI of the Rekor transparency log entry recording this attestation or artifac... | Statement |
In Subsets
Identifier and Mapping Information
Schema Source
- from schema: https://w3id.org/lmodel/slsa
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | slsa:BuildEnvironmentAttestation |
| native | slsa:BuildEnvironmentAttestation |
LinkML Source
Direct
```yaml
name: BuildEnvironmentAttestation
description: An attestation describing the integrity of a build environment at the
  time a specific build was dispatched and executed. Used to verify that a build ran
  in the expected, untampered environment.
in_subset:
- slsa_build_env_track
from_schema: https://w3id.org/lmodel/slsa
is_a: Statement
slots:
- buildId
- buildImage
- measurements
- buildEnvLevel
```
Induced
```yaml
name: BuildEnvironmentAttestation
description: An attestation describing the integrity of a build environment at the
  time a specific build was dispatched and executed. Used to verify that a build ran
  in the expected, untampered environment.
in_subset:
- slsa_build_env_track
from_schema: https://w3id.org/lmodel/slsa
is_a: Statement
attributes:
  buildId:
    name: buildId
    description: An immutable identifier uniquely assigned to a build execution (e.g.,
      a UUID). Links a BuildEnvironmentAttestation to the corresponding build provenance.
    in_subset:
    - slsa_build_env_track
    from_schema: https://w3id.org/lmodel/slsa
    rank: 1000
    alias: buildId
    owner: BuildEnvironmentAttestation
    domain_of:
    - BuildEnvironmentAttestation
    range: string
    required: true
  buildImage:
    name: buildImage
    description: The build image from which the build environment was instantiated.
    in_subset:
    - slsa_build_env_track
    from_schema: https://w3id.org/lmodel/slsa
    rank: 1000
    alias: buildImage
    owner: BuildEnvironmentAttestation
    domain_of:
    - BuildEnvironmentAttestation
    range: BuildImage
    inlined: true
  measurements:
    name: measurements
    description: Cryptographic measurements (hashes) of build environment components
      captured during boot and initialization, used to verify integrity against known-good
      reference values.
    in_subset:
    - slsa_build_env_track
    from_schema: https://w3id.org/lmodel/slsa
    rank: 1000
    alias: measurements
    owner: BuildEnvironmentAttestation
    domain_of:
    - BuildEnvironmentAttestation
    range: string
    multivalued: true
  buildEnvLevel:
    name: buildEnvLevel
    description: The SLSA Build Environment Level supported or represented, reflecting
      the strength of the integrity guarantees provided.
    in_subset:
    - slsa_build_env_track
    from_schema: https://w3id.org/lmodel/slsa
    rank: 1000
    alias: buildEnvLevel
    owner: BuildEnvironmentAttestation
    domain_of:
    - BuildImage
    - BuildEnvironmentAttestation
    range: BuildEnvLevelEnum
  _type:
    name: _type
    description: Always "https://in-toto.io/Statement/v1". Identifies the in-toto
      statement schema version and namespace.
    in_subset:
    - slsa_build_track
    - slsa_source_track
    - slsa_build_env_track
    from_schema: https://w3id.org/lmodel/slsa
    rank: 1000
    alias: _type
    owner: BuildEnvironmentAttestation
    domain_of:
    - Statement
    range: string
    required: true
  subject:
    name: subject
    description: The set of software artifacts to which a predicate applies. Each
      entry MUST contain a digest.
    in_subset:
    - slsa_build_track
    - slsa_source_track
    - slsa_build_env_track
    from_schema: https://w3id.org/lmodel/slsa
    rank: 1000
    alias: subject
    owner: BuildEnvironmentAttestation
    domain_of:
    - Statement
    range: ResourceDescriptor
    required: true
    multivalued: true
    inlined: true
    inlined_as_list: true
  predicateType:
    name: predicateType
    description: URI identifying the schema and semantics of the predicate field.
      Used to distinguish different attestation types (e.g., SLSA Provenance vs. Verification
      Summary Attestation).
    in_subset:
    - slsa_build_track
    - slsa_source_track
    - slsa_build_env_track
    from_schema: https://w3id.org/lmodel/slsa
    rank: 1000
    alias: predicateType
    owner: BuildEnvironmentAttestation
    domain_of:
    - Statement
    range: string
    required: true
  predicate:
    name: predicate
    description: The attestation payload — an arbitrary JSON object whose schema is
      fully determined by predicateType.
    in_subset:
    - slsa_build_track
    - slsa_source_track
    - slsa_build_env_track
    from_schema: https://w3id.org/lmodel/slsa
    rank: 1000
    alias: predicate
    owner: BuildEnvironmentAttestation
    domain_of:
    - Statement
    range: string
  attestationStorageUri:
    name: attestationStorageUri
    description: 'URI indicating where this signed attestation is publicly stored
      or retrievable. No universal standard for attestation storage location was established
      in SLSA v1.0; Sigstore and VCS-embedded storage are two common approaches. Explicitly
      recording this URI addresses the storage ambiguity identified as a significant
      adoption barrier: practitioners reported uncertainty about where generated attestations
      should be stored (Tamanna et al., 2024, LF.1).'
    in_subset:
    - slsa_build_track
    - slsa_source_track
    - slsa_build_env_track
    - slsa_adoption_study
    from_schema: https://w3id.org/lmodel/slsa
    rank: 1000
    alias: attestationStorageUri
    owner: BuildEnvironmentAttestation
    domain_of:
    - Statement
    range: string
  signingTool:
    name: signingTool
    description: URI or name of the tool used to cryptographically sign the artifact
      or attestation (e.g., "https://github.com/sigstore/cosign", "https://github.com/notaryproject/notation").
      In the SSF reference architecture the Signing Service layer is distinct from
      the Build Service; recording the signing tool enables verifiers to select the
      matching verification workflow. For Sigstore keyless signing the value should
      be the Cosign release URI.
    in_subset:
    - slsa_build_track
    - slsa_source_track
    - slsa_ssf
    from_schema: https://w3id.org/lmodel/slsa
    rank: 1000
    alias: signingTool
    owner: BuildEnvironmentAttestation
    domain_of:
    - Statement
    range: string
  sigstoreLogEntry:
    name: sigstoreLogEntry
    description: URI of the Rekor transparency log entry recording this attestation
      or artifact signature (e.g., "https://rekor.sigstore.dev/api/v1/log/entries/24296fb...").
      The Rekor log provides an immutable, auditable record of signing events that
      underpins Sigstore keyless signing. Verifiers can fetch this entry to confirm
      the cryptographic signature was recorded in the public-good log and obtain the
      signing certificate chain issued by Fulcio. Recording this URI enables offline
      and third-party verification without requiring direct access to the original
      signing key.
    in_subset:
    - slsa_build_track
    - slsa_source_track
    - slsa_ssf
    from_schema: https://w3id.org/lmodel/slsa
    rank: 1000
    alias: sigstoreLogEntry
    owner: BuildEnvironmentAttestation
    domain_of:
    - Statement
    range: string
```
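
An added example, not part of the generated schema page or of the SLSA project's code: a check of a decoded attestation against the slot cardinalities above, plus the two integrity links the slot descriptions name (buildId to the build provenance, measurements to known-good reference values). It assumes a JSON object keyed by slot name, a `digest` key on each subject entry, and opaque measurement strings; the function name, the placeholder predicateType URI and all sample values are hypothetical.

```python
IN_TOTO_V1 = "https://in-toto.io/Statement/v1"  # from the _type slot description

def check_build_env_attestation(att, expected_build_id, reference_values):
    """Return a list of findings; an empty list means every check passed.

    att: dict keyed by the slot names on this page (assumed JSON layout).
    expected_build_id: buildId read from the matching build provenance.
    reference_values: set of known-good measurement strings.
    """
    findings = []
    if att.get("_type") != IN_TOTO_V1:
        findings.append("_type is not the in-toto Statement v1 URI")
    if not isinstance(att.get("predicateType"), str) or not att["predicateType"]:
        findings.append("missing required slot: predicateType")
    # subject is 1..* and each entry must carry a digest ("digest" key assumed).
    subjects = att.get("subject")
    if not isinstance(subjects, list) or not subjects:
        findings.append("subject must list at least one artifact")
    else:
        for i, entry in enumerate(subjects):
            if not isinstance(entry, dict) or not entry.get("digest"):
                findings.append(f"subject[{i}] has no digest")
    # buildId is required and ties this attestation to one build execution.
    build_id = att.get("buildId")
    if not isinstance(build_id, str) or not build_id:
        findings.append("missing required slot: buildId")
    elif build_id != expected_build_id:
        findings.append("buildId does not match the build provenance")
    # measurements is optional in the schema, so an attestation can be
    # schema-valid while proving nothing about the environment.
    measurements = att.get("measurements") or []
    if not measurements:
        findings.append("no measurements: environment integrity is unverified")
    unknown = [m for m in measurements if m not in reference_values]
    if unknown:
        findings.append(f"{len(unknown)} measurement(s) not in reference values")
    return findings

# Constructed sample data, not taken from the page or from any real build.
REFERENCE = {"sha256:" + "a" * 64, "sha256:" + "b" * 64}
GOOD = {
    "_type": IN_TOTO_V1,
    "subject": [{"name": "app.tar.gz", "digest": {"sha256": "c" * 64}}],
    "predicateType": "https://example.invalid/build-env/v1",  # placeholder URI
    "buildId": "build-0001",
    "measurements": sorted(REFERENCE),
}
TAMPERED = dict(GOOD, buildId="build-9999",
                measurements=["sha256:" + "a" * 64, "sha256:" + "d" * 64])
NO_EVIDENCE = {k: v for k, v in GOOD.items() if k != "measurements"}
```

The function inspects statement content only; verifying the signature over the attestation is a separate step that it does not perform.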